Versions (6)
Version Details (Current)
Rev: 9 • Jun 14, 2016, 12:00 PM — ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)
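# ET HUNTING sid 2022894: outbound HTTP request that carries an
# "x-flash-version:" header (the msg attributes this to IE's Flash plugin) and
# whose Host ends in one of the low-cost gTLDs listed in the pcre.
#
# All of the following must hold for the rule to alert:
#   - flow:             established, client-to-server, $HOME_NET -> $EXTERNAL_NET
#   - http.uri:         contains none of ".swf", ".flv" (both case-insensitive)
#                       or "/crossdomain.xml"
#   - http.header:      contains "x-flash-version:" (the fast_pattern) and none
#                       of "/crossdomain.xml", ".swf", ".flv", "[DYNAMIC]",
#                       "sync-eu.exe.bid" (the last is a per-host exclusion)
#   - http.host:        matches the gTLD alternation
#   - http.header_names: no Cookie header in the request
#
# Change from the listed rev: the host pcre is anchored at the end of the
# buffer. As listed, the alternation had no trailing anchor, so a label that
# merely starts with one of the strings (".win..." , ".red...", ".pro...",
# ".top..." in the middle of a .com hostname) satisfied the "gTLD" test and
# widened the rule far beyond what the msg describes. An optional ":port" is
# tolerated before the anchor in case the host buffer carries one.
#
# Deployment note: if this tightened copy is loaded next to the upstream
# ruleset, give it a local sid so it neither collides with nor is overwritten
# by upstream 2022894.
#
# Triage note: metadata rates this confidence Medium / performance_impact
# Moderate. Treat hits as hunting leads and corroborate with the response
# body type and any follow-on download or process activity tied to the same
# host before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; http.uri; content:!".swf"; nocase; content:!".flv"; nocase; content:!"/crossdomain.xml"; http.header; content:"x-flash-version|3a|"; fast_pattern; content:!"/crossdomain.xml"; content:!".swf"; nocase; content:!".flv"; nocase; content:!"[DYNAMIC]"; content:!"sync-eu.exe.bid"; http.host; pcre:"/^[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/i"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; classtype:trojan-activity; sid:2022894; rev:9; metadata:created_at 2016_06_14, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_04;)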
Jun 14, 2016, 12:00 PM
May 4, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Nov 24, 2025, 10:34 PM
rules/emerging-hunting.rules